When the EU’s General Data Protection Regulation (GDPR) came into force in 2018, it became a legal requirement across the EU to collect explicit user consent in order to process any personal data.
Cookie banners were nothing new. Users were already very familiar with the phrase “By using this site you agree to use of cookies”, the go-to way of collecting consent. But the GDPR set stricter standards on what real consent looks like, meaning these banners had to be updated.
Except, specifications around what cookie banners should look like were vague. As VideoWeek reported at the time, we saw a wide range of interpretations. The interplay of GDPR and the ePrivacy Directive, an existing law which set rules of cookie consent, clouded matters.
Since then, it’s been left to data protection authorities to interpret the law. But this has led to a situation where different DPAs in different markets have drawn different conclusions.
Thus the European Data Protection Board (EDPB) had been brought into play. The EDPB exists to coordinate data policy across the EU. And in 2021, it convened a ‘Cookie Banner Task Force’ to coordinate responses to a number of different complaints filed by privacy advocacy group None of Your Business (NOYB) with various DPAs across Europe.
Now, the EDPB has adopted a report from the Cookie Banner Task Force. This report shows where data protection enforcers’ heads are at on some of the major questions around design of cookie consent mechanisms, setting some much-needed ground rules on what should be considered legitimate practice under GDPR. Here are the task force’s decisions on those major issues:
A ‘reject’ button must be displayed on the first layer – split decision
It’s clear that an option to actively reject use of cookies (other than rejecting by leaving the website) must be given. But many websites choose not to put this option on the first layer of the consent popup. Often two options, ‘Accept’ and ‘More Options’ or something similar will be provided, and a reject button is available after clicking ‘More Options’.
The vast majority agreed that on any layer of a consent mechanism where there’s an ‘Accept’ option, there should also be a ‘Reject’ option – but not all. A few noted that the relevant clause of the ePrivacy Directive doesn’t outright reference a ‘Reject’ button, meaning that not including a ‘Reject’ button on the first layer isn’t necessarily an infringement of EU law.
Pre-ticked boxes must not be used: agreed
It’s common on the second layer of a consent mechanism (where the user has chosen not to accept all cookies or reject all cookies immediately, but wants to refine which cookies they allow) to present a series of tick boxes for different categories of cookies. In some cases, websites pre-tick these boxes to encourage higher opt-in rates.
The task force agreed that this is not valid for consent, as it contravenes GDPR.
The reject option can’t be hidden in a link: split decision
In some cases seen by the task force, data controllers offer an ‘Accept’ button on the first layer of a consent mechanism, and then the ‘Reject’ option (or ‘More Details’ option) was hidden in a link instead.
This practice wasn’t outright voted down, but the task force did agree that the option to reject must be clear – websites shouldn’t deceive users into thinking they have to give consent in order to continue.
Additionally, the task force agreed that the following are not valid under EU law:
- Hiding the ‘Reject’ button (or other alternatives to granting consent) in a link which is embedded within a paragraph of text, without any visual support to draw the user’s attention towards that option.
- Hiding the ‘Reject’ button or any alternatives outside of the cookie banner itself.
Deceptive button colours and contrasts can’t be used: case-by-case
Use of colour and contrast on ‘Accept’ and ‘Reject’ buttons is seen by many as a ‘dark pattern’, used by websites to encourage higher opt-in rates by drawing more attention to the ‘Accept’ option. This can be a powerful tactic, given that consumers are often keen to click out of a cookie banner as soon as possible, looking for whichever button will close it down quickest.
The task force however said it is not possible to create a blanket rule about colour and contrast, and that consent mechanisms must be judged on a case-by-case basis. It did acknowledge though that some examples would be ‘manifestly misleading’ and contravene EU law – for example if the contrast between the ‘Reject’ text and the background is so minimal that the Reject option is unreadable.
Websites can’t use language around ‘legitimate interest’ to deceive users: agreed
‘Legitimate interest’ is a term outlined in GDPR, which allows businesses to process some personal data without user consent. There are no hard and fast rules about what legitimate interest is. But in general, a company can claim legitimate interest if processing of users’ data is essential – perhaps for a company or individual’s interests, or for a wider societal benefit – and where the impact on user privacy is minimal.
Legitimate interest is often claimed for cookies which are essential for basic website functions. Some companies have tried to claim legitimate interest as the basis for dropping cookies for personalised advertising – a notion which has been struck down by various DPAs already.
However, some cookie consent mechanisms appear to use vague language around legitimate interest in order to make users think they have to grant consent to all use of cookies.
The task force said that in some cases, the website ultimately ends up essentially relying on legitimate interest as the basis for non-essential data processing, thanks to this confusing language. In those cases, the cookie banner violated the GDPR.
A ‘withdraw consent’ option must be available via a ‘floating icon’: case-by-case
It’s a requirement under GDPR not only to gain consent for processing of personal data, but also to give users the option to withdraw that consent at any time, and for consent withdrawal to be as easy as granting consent in the first place.
The task force noted that many websites don’t have a floating ‘privacy settings’ icon which appears on every page of the website, allowing users to withdraw consent.
While the ability to withdraw consent is clearly necessary under GDPR, the task force agreed that specific withdrawal mechanisms can’t be imposed. So it’s not an obligation to have a ‘floating icon’ on each web page – even though this is arguably the most realistic way to make withdrawing consent as easy as granting it.
The task force says withdrawal mechanisms will have to be assessed on a case-by-case basis.
